Trends & Threats Briefing, February 2019

Welcome to your source for February 2019’s news about TLS, SSL, PKI, IoT, encryption, identity and digital certificates.


If you’d prefer having this news presented to you, view/hear the on-demand recorded webcast here. Also check out the rest of our webinars and videos on DigiCert’s channel on the BrightTalk network.

Co-brandable versions (focusing on TLS & SSL, financial impacts and miscellaneous news) are available to our Certified Partners via Vimeo for marketing purposes or as an .M4A for podcast usage.

If you would like an .MP4 file of the video or if you have any corrections or suggestions, please contact us.

TLS & SSL

Understanding the undoing of underscored certs

TLS 1.3 is default setting in iOS 12.2

Chrome tackles mixed-content situations

PKI & IoT

Industrial IoT security, privacy and safety study released

ETSI releases consumer IoT cybersecurity standard

$€¢ure£¥ — The financial impact of (in)security

FTC and Facebook square-off on privacy punishment

Hacked Irish tram system’s website held for 1 BTC ransom

Cryptocurrency founder couldn’t take it with him – nor can anyone else access it

It takes money to make money – but also to protect it

Hash – More news of mutual interest

NIST lists 2nd round candidates in PQC Standardization Process

ICANN warns against DNSpionage

Apple revoked Facebook & Google developer certs over license/privacy violations

Chrome to make it tougher for sites to prevent Incognito Mode browsing

Stranger Than Fiction!

HasMyHotTubBeenPwned?

Turning the throne into a ticker-tracker

Apple sued for ‘forcing’ 2FA upon users

Good News

Foundation successfully laid for quantum-resistant IoT device certs

Spending increases globally on IT security tools, staff and hiring

Decrypters available for GandCrab 5.1 & Aurora ransomware

TLS & SSL

Understanding the undoing of underscored certs

Last month, CAs and browsers caught up with RFC 5280 of the Internet Engineering Task Force (IETF), which necessitated the January 15, 2019 revocation of certificates securing fully qualified domain names (FQDNs) with underscore characters but valid for more than 30 days. The CA/Browser Forum’s Ballot SC12 sunsetted the use of such certificates, providing a time for subscribers to transition away from the use of FQDNs containing underscores, by changing the affected FQDNs, or by using Wildcard certificates or Private CA certificates instead. These underscore certificates will still be permitted for use until April 1, 2019, with the caveat that such certs would not be valid for more than 30 days. Beginning after the last day of April 2019, DNSName and FQDNs must not contain underscore characters.

https://cabforum.org/2018/11/12/ballot-sc-12-sunset-of-underscores-in-dnsnames/

https://bugzilla.mozilla.org/buglist.cgi?product=NSS&component=CA%20Certificate%20Compliance&bug_status=__open__
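One way to audit a certificate inventory against the SC12 dates summarized above. This is an added example, not code from the CA/Browser Forum or DigiCert; the record layout, status names and sample certificates are constructed for illustration, and the dates are the ones given in this briefing.

```python
from datetime import date

# Dates and limits as summarized in the briefing text (Ballot SC12).
# Underscore certificates valid for more than 30 days were subject to
# revocation on 2019-01-15.
SHORT_LIVED_CUTOFF = date(2019, 4, 1)   # short-lived underscore certs permitted until here
SUNSET_DATE = date(2019, 4, 30)         # after this day, no underscores at all
MAX_SHORT_LIVED_DAYS = 30


def underscore_names(dns_names):
    """Return the dNSName entries that contain an underscore in any label."""
    return [n for n in dns_names if "_" in n]


def wildcard_replacement(name):
    """Suggest a wildcard SAN that no longer contains an underscore.

    A wildcard replaces only the left-most label, so this works only when
    the underscore sits in that label and nowhere else.
    """
    labels = name.split(".")
    if len(labels) < 3:
        return None
    if "_" in labels[0] and not any("_" in part for part in labels[1:]):
        return "*." + ".".join(labels[1:])
    return None


def classify(cert, today):
    """Classify one inventory record (hypothetical layout) on the audit date."""
    flagged = underscore_names(cert["dns_names"])
    if not flagged:
        return {"status": "ok", "names": [], "wildcards": {}}
    lifetime = (cert["not_after"] - cert["not_before"]).days
    if lifetime > MAX_SHORT_LIVED_DAYS:
        status = "revoke"        # long-lived underscore certificate
    elif cert["not_before"] > SHORT_LIVED_CUTOFF or today > SUNSET_DATE:
        status = "prohibited"    # outside the transition window
    else:
        status = "short-lived"   # allowed for now; rename before the sunset
    return {
        "status": status,
        "names": flagged,
        "wildcards": {n: wildcard_replacement(n) for n in flagged},
    }


def audit(inventory, today):
    """Map certificate id -> status for a whole inventory."""
    return {c["id"]: classify(c, today)["status"] for c in inventory}


# Constructed sample inventory (not real certificates).
SAMPLE_INVENTORY = [
    {"id": "c1", "dns_names": ["www.example.com"],
     "not_before": date(2018, 6, 1), "not_after": date(2020, 6, 1)},
    {"id": "c2", "dns_names": ["dev_api.example.com"],
     "not_before": date(2018, 3, 1), "not_after": date(2020, 3, 1)},
    {"id": "c3", "dns_names": ["dev_api.example.com"],
     "not_before": date(2019, 3, 10), "not_after": date(2019, 4, 9)},
    {"id": "c4", "dns_names": ["api.dev_zone.example.com"],
     "not_before": date(2019, 4, 10), "not_after": date(2019, 5, 5)},
]

if __name__ == "__main__":
    for cert in SAMPLE_INVENTORY:
        print(cert["id"], classify(cert, date(2019, 3, 15)))
```
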

TLS 1.3 is default setting in iOS 12.2

Apple announced to the IETF that it’s enabled TLS 1.3 by default for the entirety of iOS 12.2. Specifically, all users of Network.framework and NSURLSession APIs will now utilize TLS 1.3. (In January’s briefing, we mentioned that the IETF’s RFC for HTTP/3 would likely be finalized when all the major browsers support TLS 1.3.) Given Apple’s prominent footprint in mobile devices and therefore upon worldwide network connections, the iOS move will boost the number of TLS 1.3-capable clients on the Internet and likewise advance towards finalization of the HTTP/3 RFC.

https://mailarchive.ietf.org/arch/msg/tls/5QjzTilqjomSyzENtgfaAqQOhbA

Chrome tackles mixed-content situations

You’ve seen those “mixed content” warnings in various browsers, triggered when a page is served over HTTPS, but one or more page elements (usually images) are served from sources which don’t invoke TLS or SSL. While this mixing of content is concerning to anyone who desires a secure browsing experience, the average user has no idea what the warnings actually mean. Worse, untangling multiple pages’ source code can be a headache which some site developers wish to avoid. Tackling this situation, Google engineers rolled out an experiment in Chrome where they configured the browser to automatically upgrade any mixed content to full HTTPS by dynamically changing the URL of HTTP resources over to HTTPS. Google believes that “most of the content delivered over HTTP in HTTPS sites is either available over HTTPS and can be transparently upgraded, or doesn’t impact the user experience,” so the test could determine “how feasible it would be to auto-upgrade all or a subset of mixed content.”

https://www.zdnet.com/article/google-is-running-an-auto-update-to-https-experiment-in-chrome/

https://docs.google.com/document/d/1dp-kuN25wnEbMPNWBxM8LvOjyeydWpXPklNnGcsWK1o/edit
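A site owner can find the same HTTP subresources before the browser does. The sketch below is an added example, not Chrome's code or part of the cited articles: it scans the HTML of an HTTPS page for subresources loaded over HTTP and reports the HTTPS URL a scheme-only upgrade would produce. The tag list, the blockable/optionally-blockable labels (after the W3C Mixed Content categories) and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> (attribute that triggers a load, Mixed Content category).
# Illustrative subset, not an exhaustive list of subresource types.
SUBRESOURCES = {
    "script": ("src", "blockable"),
    "iframe": ("src", "blockable"),
    "link": ("href", "blockable"),          # stylesheets only, see below
    "img": ("src", "optionally-blockable"),
    "audio": ("src", "optionally-blockable"),
    "video": ("src", "optionally-blockable"),
    "source": ("src", "optionally-blockable"),
}


class MixedContentFinder(HTMLParser):
    """Collect subresources that an HTTPS page loads over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCES:
            return  # e.g. <a href>: navigation, not a subresource
        attr, category = SUBRESOURCES[tag]
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        value = attrs.get(attr)
        if not value:
            return
        # Relative and protocol-relative URLs inherit the page's scheme.
        absolute = urljoin(self.page_url, value.strip())
        parts = urlsplit(absolute)
        if parts.scheme == "http":
            upgraded = parts._replace(scheme="https").geturl()
            self.findings.append(
                {"tag": tag, "category": category, "url": absolute, "upgraded": upgraded}
            )


def find_mixed_content(page_url, html):
    """Return mixed-content findings; empty if the page itself is not HTTPS."""
    if urlsplit(page_url).scheme != "https":
        return []
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page (hypothetical hosts).
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://static.example.net/site.css">
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<img src="http://img.example.net/logo.png">
<img src="/local/banner.png"/>
<a href="http://other.example.org/">partner site</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_mixed_content("https://shop.example.com/cart", SAMPLE_HTML):
        print(finding)
```

Whether each upgraded URL actually serves the same resource over HTTPS still has to be checked against the origin before the page source is changed.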


PKI & IoT

Industrial IoT security, privacy and safety study released

There’s more to the IoT than just consumer devices. Maturing as its own massive subset of the IoT along with its own derivative acronym, the growth of the Industrial Internet of Things (IIoT) has adopting organizations concerned over cybersecurity, safety and data privacy. Privacy and information security research firm, the Ponemon Institute, is releasing its “2019 Safety, Security & Privacy in the Interconnected World of IT, OT and IIoT study” to understand those organizational concerns. Focusing on the successful convergence of IT and OT control systems, the study looks at how organizations manage privacy in the IIoT while protecting its surface area of cyber threats exposure, all without dips in safety and reliability. “Improving overall cybersecurity maturity will play a deterministic role in the success of a digitalization roadmap where the focus is to improve digital services in a complex and interconnected ecosystem,” commented Urmez Daver of the TÜV Rheinland, with whose OpenSky group the Ponemon Institute collaborated on the study. Not to leave out our colleagues across the Atlantic, Mr. Daver noted that the OpenSky group was “pleased to see that the outcome of the study reflects a similar prevalent opinion of cybersecurity practitioners across North America.”

https://www.globenewswire.com/news-release/2019/02/06/1711442/0/en/Ponemon-Institute-Releases-2019-Study-on-Managing-Safety-Security-and-Privacy-in-the-Interconnected-World-of-IT-OT-and-IIoT.html

ETSI releases consumer IoT cybersecurity standard

The European Telecommunications Standards Institute (ETSI) released a cybersecurity standard for the IoT, hopefully establishing a security baseline for connected consumer products and providing the basis for future IoT certification methods. Many of our Briefings in 2018 covered IoT devices being exploited for unintended use, getting hacked, and threatening consumers’ privacy. The new specification, TS 103 645, addresses these matters with high-level security provisions for IoT consumer devices and their corresponding services. The spec includes requirements against use of universal default passwords, for a vulnerability disclosure policy which allows reporting of security issues, and for encrypted communications between devices and their motherships. The spec also includes mandates that login credentials and identity data are stored securely on devices and in services, without hard-coded credentials being stored in device software. “The potential benefits of the IoT will be achieved only if products and services are designed with trust, privacy and security built in, so consumers feel they are secure and safe to use. …It should be a landmark specification for consumers and industry alike,” commented Stephen Russell, Secretary-General of ANEC, the organization representing consumers in standardization, and an ETSI member. NCC Group’s global CTO, Ollie Whitehouse, added that “as global standardization moves ahead, manufacturers in every country need to understand that an international supply chain is no longer an excuse to ignore good security practice. Manufacturers around the world should take the right steps now to build an appropriate level of security into their products.” And the ETSI spec should go far towards enabling that, worldwide.

https://www.helpnetsecurity.com/2019/02/20/consumer-iot-cybersecurity-standard/


$€¢ure£¥

FTC and Facebook square-off on privacy punishment

The United States Federal Trade Commission (FTC) is reportedly negotiating with Facebook to determine a record-breaking multi-billion dollar fine, in settlement of the FTC’s investigation into Facebook’s privacy practices. While the sides have not agreed on an exact amount for the fine, it looks like it would be the largest ever imposed by the FTC on a technology company since 2012 when Google broke an agreement with the US government to safeguard consumers’ data. Google paid a settlement of US $22.5M for that untangling; although that’s multiples of millions of dollars, it pales in comparison to the multi-billion dollar fine expected in the Facebook matter. Moreover, the FTC’s punishment of Facebook might not only be monetary; it could also force the social network to submit to tougher checkups to ensure it is complying with the settlement. Alternatively, trying to resolve the matter in court doesn’t seem like a good option for either party: doing so would place the FTC’s authority over tech giants under the glaring spotlight of a high-profile judicial review – and a lawsuit would probably further damage Facebook’s reputation. “They’re hemorrhaging users, they’re hemorrhaging trust, and I think this would only exacerbate the problem,” said Justin Brookman, director of consumer privacy and technology policy for Consumer Reports.

https://www.washingtonpost.com/technology/2019/02/14/us-government-facebook-are-negotiating-record-multi-billion-dollar-fine-companys-privacy-lapses/

Hacked Irish tram system’s website held for 1 BTC ransom

The website of Dublin, Ireland’s Luas tram and light rail system was hacked, and its perpetrator left a defacement message demanding a ransom payment of 1 Bitcoin (BTC) in exchange for the personal data of over 3,000 of the system’s users. The hack doesn’t appear to have come out of nowhere, as the hacker previously warned Luas about “serious security holes” in their website, which Luas apparently ignored. When the defacement message subsequently became a promise-made-good, the attacker replied, “you are hacked some time ago I wrote that you have serious security holes you didn’t reply the next time someone talks to you press the reply button you must pay 1 bitcoin in 5 days otherwise I will publish all data and send emails to your users.” Luas acknowledged the hack publicly and clarified that 3,226 recipients of its newsletter may have had their data stolen, but that did not include their financial data.

https://www.hackread.com/irish-tram-system-website-hacked-helf-for-ransom/

Cryptocurrency founder couldn’t take it with him – nor can anyone else access it

When Gerry Cotten died (he was the founder, and sole director and officer of the Canadian cryptocurrency QuadrigaCX), apparently all access to the offline wallet which stored the C$180M of its customers’ assets died along with him. Mr. Cotten’s widow has sworn in an affidavit that the founder followed a standard security practice by storing the wallet offline – specifically, on an encrypted laptop to which only Cotten had the password. While that practice earns the late Mr. Cotten kudos, unfortunately all the exchange’s value is currently inaccessible to its over 100,000 customers. That’s because, according to the widow’s testimony, “the laptop computer from which Gerry carried out the Companies’ business is encrypted, and I do not know the password or recovery key. Despite repeated and diligent searches, I have not been able to find them written down anywhere.” Her search includes not only physical forms (like Post-It Notes on which many shamefully write their passwords) but also electronic forms (such as documents, emails and messages) which, if they even exist, are encrypted anyway.

https://arstechnica.com/information-technology/2019/02/digital-exchange-loses-137-million-as-founder-takes-passwords-to-the-grave/

It takes money to make money – but also to protect it

Organizational budgeting to detect, prevent or respond to a cyber security incident is shockingly low, especially among small and unregulated businesses, if a new study of organizations in India is any indication. The India edition of the latest EY Global Information Security Survey surveyed 230 Indian C-suite leaders in organizations of all sizes and found that just 19% of their organizations have budgeted for cybersecurity and resilience. Although 69% did budget for prevention and protection, the spending was surprisingly low, as was cross-functional employee awareness on how to protect company information and assets. Jaspreet Singh, an Advisory Services partner at EY, colored the facts further: “There is a challenge between growth versus putting controls in place. But what they don’t understand is that any cyber incident can today wipe out their entire growth. If you look at all industries, forget having cyber security strategies or controls in place — a lot of them don’t even have a full time Chief Compliance Officer or Chief Technology Officer who understands the technology.” The report does show higher levels of prevention and readiness in banking, insurance, financial services, technology media and telecommunications verticals, but that’s likely because those sectors have mandates and laws in place, which require that readiness.

https://economictimes.indiatimes.com/small-biz/sme-sector/a-cyber-security-incident-can-be-catastrophic-for-small-businesses/articleshow/67995513.cms


Hash

NIST lists 2nd round candidates in PQC Standardization Process

The US National Institute of Standards and Technology (NIST) announced the 9 candidates moving onto the 2nd round of the NIST Standardization Process for digital signatures for Post-Quantum Cryptography (PQC). Among the finalists was Microsoft Research’s Picnic algorithm; more about that later. The NIST PQC team welcomed those whose schemes were not selected to apply their expertise by evaluating and analyzing the 2nd- and future-round cryptosystems. The teams for the selected 9 specs and implementations are allowed to update and tweak their submissions through a shortened deadline of March 15, 2019, after which the next phase of evaluation and review will begin and is expected to last for up to 18 months. And after that, NIST expects to either have a final list or choose to undergo a third round of evaluations.

https://groups.google.com/a/list.nist.gov/forum/#!topic/pqc-forum/bBxcfFFUsxE

ICANN warns against DNSpionage

Notably following last month’s US government warning about DNS attacks, it’s time for everyone in the chain of trust, from sites to consumers, to sit up and take notice when the CTO of the Internet Corporation for Assigned Names and Numbers (ICANN) says “all of your customers are only as secure as you are.” And that’s what’s behind ICANN’s post-emergency-meeting declaration that there exists “an ongoing and significant risk” of malicious attacks targeting the DNS. DNS attacks are a technically simple version of a man-in-the-middle attack, where a user’s internet communications are redirected on their way to their intended address. Sometimes victims are redirected somewhere else, often when an attacker impersonates the intended address – and this is often referred to as spoofing. However, if such an attack sends the traffic where it was supposed to go, the attacker is usually snooping on the data along the way, if not also collecting it. “This is roughly equivalent to someone lying to the post office about your address, checking your mail, and then hand delivering it to your mailbox… Lots of harmful things could be done to you (or the senders) depending on the content of that mail,” explained the US Department of Homeland Security. In these recent cases, which brought about the urgent ICANN meeting and subsequent warning, internet service providers and large government entities were targeted. Adam Meyers, vice president of intelligence at CrowdStrike, added, “You definitely need knowledge of how the internet works, and you have to handle a lot of traffic being directed to you,” which leads many to believe that these attacks are the work of nation states. …We gently remind readers of the importance of site and server validation: TLS & SSL certificates have two functions. They don’t just encrypt traffic; they can equally demonstrate that a website really is the website it claims to be.

https://www.securityweek.com/warning-issued-over-attacks-internet-infrastructure

Apple revoked Facebook & Google developer certs over license/privacy violations

Apple made a gutsy privacy-policy-guided move to revoke Facebook’s and Google’s iOS enterprise certificates, which allowed internal iOS apps to be deployed within a licensed enterprise’s environment, instead of via the Apple app store. However, both were found to violate the enterprise development license in different ways, and first came the Facebook revocation, then the Google revocation just days later. Facebook had paid people aged 13 to 35 up to $20 a month for non-App Store installation and usage of Facebook’s Research VPN app, which allowed Facebook to observe virtually all activity taking place on the phone. Apple had previously banned Research VPN from the App Store for violating their data privacy rules. Separately, Google deployed a similar iOS application outside of the App Store, called Screenwise Meter. The app allowed Google to monitor users’ phones and collect data from them; those users were compensated via gift cards. The difference in the situations seems to be that Facebook didn’t stop its distribution before Apple revoked their certificate, but Google did. After the impact of the revocations was felt by Google and Facebook employees who suddenly found their employers’ actually-internal iOS apps to be non-functional, Apple soon restored the companies’ enterprise certificates. The short punishment demonstrated the power which Apple wields in the iOS ecosystem, even over other tech giants. Competition between tech titans aside, industry followers praised Apple for ensuring their privacy standards will be followed.

https://www.theregister.co.uk/2019/01/30/facebook_apple_enterprise_certificate_revocation/

https://arstechnica.com/gadgets/2019/01/facebook-and-google-offered-gift-cards-for-root-level-access-to-ios-users-data/

Chrome to make it tougher for sites to prevent Incognito Mode browsing

Some websites do not like Chrome’s Incognito Mode because they believe it allows users to get around limited access to content, like when a newspaper or magazine limits you to reading just a few articles before you must pay for access. So those sites have taken advantage of a longstanding loophole, which reveals that a user is in Incognito Mode, allowing them to deny content access to those users until they turn the mode off. Here’s how it works: Chrome’s FileSystem API can leave behind files which pose possible privacy risks, so Chrome makes the API unavailable when users are browsing in Incognito Mode. By attempting and failing to invoke the API, a website can quickly discover whether Incognito Mode is in use. Users’ privacy intentions being what they are, Google plans to change FileSystem API so websites cannot perform this loophole check.

http://www.engadget.com/2019/02/18/google-chrome-incognito-mode-blocking/

http://www.bleepingcomputer.com/news/google/google-fixing-chrome-api-to-prevent-incognito-mode-detection/


Stranger Than Fiction!

HasMyHotTubBeenPwned?

The UK’s Pen Test Partners group has documented that 26,000 hot tubs can be hacked and controlled remotely; worse, that the hot tubs are pwnable because their app-based controller doesn’t employ any authentication process – and even worse, the database mothership where the hot tubs call home includes geolocation data, which means anyone can know where your hot tub is and can deduce when you’re in it. The Balboa Water App is used to control hot tubs made by the Balboa Water Group, and its capabilities include temperature control, which can result in scalding or freezing temperatures, and perhaps also usage and waste of a lot of electricity. And since jets are usually only used when someone’s in the tub, an attacker could control the hot tub’s pumps such that the victim would think their hot tub is malfunctioning (as if out-of-control temperature wasn’t the first clue). It turns out that the Balboa Water Group was surprised to learn of the attack capabilities, since their app has been available for over 5 years now with no reported incidents. While the company is busy improving its authentication processes and working on its app’s security, hot tubbers are urged to not use their tubs’ remote-control function.

https://www.hackread.com/internet-connected-hot-tubs-vulnerable-remote-attacks/

https://www.pentestpartners.com/security-blog/hackers-in-hot-water-pwning-smart-hot-tubs-yes-really/

Turning the throne into a ticker-tracker

Any hotel housekeeper, homeowner, parent or college fraternity member can list some pretty surprising, non-traditional things that can be excreted at a toilet, but a group from the Rochester Institute of Technology in the United States has created a toilet seat through which you can simultaneously deposit your heart rate, stroke volume and blood oxygenation level. The team published an article in a healthcare journal about a study employing a “toilet seat-based cardiovascular monitoring system (with) clinical grade accuracy,” where the seat would sit not in a clinic, but at home (moreover on the john), a place where this kind of deposit “has been previously unattainable.” Alas, the study’s flaw was quickly noted, since participants were sitting on the throne to have their vitals measured, not for, um, the usual reasons one sits upon the perch. It’s the latter of those activities which puts minor stress on the body in real time, and therefore alters what’s being measured by the PHI-collecting commode. Hence the team will presumably work out toilet seat algorithms which can identify and avoid when throne-bearers are straining for any reason, as such strains could affect the toilet seat’s readings and unnecessarily indicate that the depositor needs urgent medical care.

https://www.theregister.co.uk/2019/02/04/toilet_seat_heart_rate/

https://mhealth.jmir.org/2019/1/e12419/

Apple sued for ‘forcing’ 2FA upon users

You’ve heard of the timeless choice between security and convenience. It seems that a New York resident named Jay Brodsky wishes to make that choice but believes Apple has made it for him – and the decision was in favor of security, not convenience. So Mr. Brodsky is suing Apple because it requires users to utilize two-factor authentication (2FA) to access some features – and doing so causes repeated losses of 2–5 minutes of his life, resulting in “economic losses.” Not quite clear is Mr. Brodsky’s claim requesting that Apple return the “ill-gotten gains” which Mr. Brodsky believes Apple has made from 2FA. The suit centers upon choice, claiming that Apple enables 2FA without giving users the lasting option to turn it off. The lawsuit goes on to state that Apple is in violation of the section of the California Penal Code known as the Invasion of Privacy Act, another section known as the Computer Crime Law, and yet another section known as the Computer Fraud and Abuse Act. Presumably, many more 2–5 minutes of Mr. Brodsky’s life have been wasted than the many more minutes needed to sue Apple.

https://nakedsecurity.sophos.com/2019/02/12/apple-sued-for-forcing-2fa-on-accounts/


Good News

Foundation successfully laid for quantum-resistant IoT device certs

Researchers from Utimaco, Microsoft Research and DigiCert announced the successful test of a newly created algorithm with digital certificates used to encrypt, authenticate, and provide integrity for Internet of Things (IoT) devices. Using Microsoft Research’s quantum-safe digital signature algorithm named Picnic, implemented and minted into certificates by DigiCert, using a Utimaco Hardware Security Module, the test’s success is a fundamental step toward developing security solutions for protecting the IoT from brute-force encryption methods expected to become available in the next 10–15 years via the advent of quantum computing. While 2034 may seem so very far in the future, the lifecycles of evolving technology products like connected cars, smart homes, connected cities, and connected medical devices will easily extend over and past those 10–15 years. Brian LaMacchia, Distinguished Engineer and head of the Security and Cryptography Group at Microsoft Research, explained that the collaboration resulting in the successful test “is important to develop quantum-secure cryptographic algorithms, protocols and solutions today so that in the near future enterprises will be able to transition to and deploy quantum-safe cryptography. Working to ensure that their solutions are cryptographically agile will help companies avoid expensive and unscalable security practices to protect their IoT devices against future security threats.”

https://www.darkreading.com/iot/picnic-passes-test-for-protecting-iot-from-quantum-hacks/d/d-id/1333855

Spending increases globally on IT security tools, staff and hiring

Thanks to both the raised consciousness of recent data breaches as well as increasing privacy regulations, a new study from eSecurityPlanet reveals that large enterprises are spending aggressively on IT security measures. The new State of IT Security survey, which polled eSecurityPlanet subscribers from security engineers up to C-level executives in January, revealed that 54% of companies will increase their IT security spending this year – and a good portion of those will spend 10–20% or more compared to 2018 levels. This largely corroborates Gartner’s prediction of an 8.7 percent increase in IT security spending for 2019. The eSecurityPlanet study also indicated increases in hiring demand for IT security staff, with approximately 57% of organizations expecting to hire additional security staff in the next 12 months. Topping the list of spending priorities were network access control (NAC) and web gateways (which keep attackers at bay), and data loss prevention (DLP, which works to prevent unauthorized parties from exfiltrating sensitive data). Of course, we’d be delighted for any customer to add the most advanced and best-authenticated digital certificates and cert management tools, which can encrypt data traveling across any exposure point, and help validate that it’s traveling to (or from) servers which are controlled by exactly who they claim to be operated by.

https://www.esecurityplanet.com/network-security/survey-2019-businesses-accelerate-spending-hiring.html

Decrypters now available for GandCrab 5.1 & Aurora ransomware

We’ve reported enough about ransomware in 2018 that we’re delighted to see regular releases of ransomware decrypters – and 2 new decrypters are now available. The GandCrab decrypter has been updated to support up to version 5.1. A continuing collaboration between Bitdefender, Europol and the Romanian police, the tool is available for free download and has helped almost 10,000 users whose ransom payments would have totaled over US $5M. Separately, developer Michael Gillespie has released a decrypter for the Aurora Ransomware. Aurora is spread by hackers attacking computers running Windows Remote Desktop Services, encrypting files, then demanding a ransom in bitcoins in exchange for the decryption key to unlock those files (seen with a .Nano extension). The Aurora decrypter is also free, and users can further utilize CryptoSearch to move all the encrypted files into one folder for archiving or deletion.

https://www.bleepingcomputer.com/news/security/gandcrab-decrypter-available-for-v51-new-52-variant-already-out/
